Atomic cross-chain swaps are one of the few smart contracts whose usefulness is widely understood. Swapping BTC for LTC (and vice-versa) trustlessly would enable decentralized exchanges, cut out middlemen, free the masses from tyranny, and do all those other things we like to get excited about. At the very least, it means I could quit going through the KYC process with every single exchange in the world.
As the ecosystem of Bitcoin forks grows, it's easy to imagine a decentralized exchange matching swaps across chains. Multi-step swaps connecting illiquid chains via the Bitcoin "gold standard." A vast network of value exchanged autonomously and seamlessly across the Merkle Forest.
I'd like to take a moment to talk about why atomic swaps aren't going to make that happen, and why their usefulness is grossly overestimated.
HTLC
The core of the atomic swap is what we like to call Hashed Timelocked Contracts (HTLCs). An HTLC is a simple smart contract. It pays out if a secret is revealed, and refunds the money otherwise. HTLCs have been used to make some simple proof-of-concepts, like Greg Maxwell's pay-for-sudoku, but haven't seen wide adoption yet. They're a critical element in the Lightning Network, and almost any other 2nd layer solution. HTLCs are amazing, and I want to see them all over the place.
An HTLC has a few basic components. There's a recipient address, an expiry date, a hashed secret, and funds. These are set in advance, and can't be changed. The recipient may retrieve the funds if they know the plaintext, unhashed secret, but must do so before the duration expires. After the duration has expired, the original owner may retrieve the funds.
Atomic Cross-chain Swaps
One of the neat things about HTLCs is that the exact same HTLC can run on multiple chains. Most Bitcoin forks can use near-identical HTLCs. A cross-chain swap involves setting up two similar HTLCs on two separate chains.
Here's the skinny (this is mostly a restatement of the amazing Zcash blog post linked above):
Alice makes an HTLC on chain A with Bob's address as the recipient, which expires after 144 blocks, and has the hash of a large random number as the hashed secret. Alice places 5 ACoin in the HTLC.
Bob, seeing Alice's HTLC, makes a new HTLC on chain B. This HTLC pays Alice's address, times out after 72 blocks, and has the same hashed secret as Alice's HTLC. Bob places 10 BCoin in the HTLC.
Alice may now claim Bob's coins from chain B. To do so, she makes a new transaction on chain B. In this transaction Alice must reveal the unhashed secret.
Once Bob sees Alice claiming the coins, he can look at the transaction. So Bob learns the private key, and uses it to claim the coins on chain A.
So now Bob is sure that Alice can't get his coins from chain B without giving up her coins on chain A. Bob and Alice swap coins across chains without a third-party intermediary. Pretty cool right?
Welllllll.........
Call options
You see, "atomic cross-chain swap" is a fancy name for an extremely old and well-known structure: a call option. A call option is a "derivative", a type of financial contract. A call option gives one party the right to buy something at a set price (the strike price) from the other party before an expiry date. If I think that AMD is likely to rise, I might buy a call on AMD stock. This locks in a specific price for me, and once AMD goes up, I can exercise my option, purchase the stock, and immediately resell it at profit.
Let's take another look at the four steps of a cross-chain swap.
In step 1, Alice locks up 5 ACoin. Then in step 2 Bob locks up 10 Bcoin with a 72 block expiry. For the next 72 blocks (the expiry date), Alice has the right to purchase 10 Bcoin at a price of 2 BCoin per ACoin (the strike price). After step 2, Bob can no longer decide to back out of the deal; he is obligated to proceed. However, Alice can still choose to back out or execute the trade. Bob has given Alice the right to buy BCoin at a set price in a certain time window. That's a call option. At any time before the expiry, Alice may complete step 3 and exercise her option.
Problem: Market Fluctuation/Manipulation
Cross-chain swaps don't happen in a vacuum, but in the context of a larger market. Alice's evaluation of the option is linked to the price of ACoin and BCoin in an external reference.
Because the purchase is at Alice's option, she can wait to see what the market does before deciding whether to complete the transaction. If Alice sees the market move against BCoin, she can decline to purchase Bob's coins.
Take this a step further: once Alice has locked in a price from Bob, she can manipulate ACoin and BCoin markets to maximize her profit. If Alice is say, a whale, an exchange, or capable of creating FUD, Alice can attempt to increase the price of BCoin to extract additional profit and decrease the price of ACoin in order to harm Bob.
Another option: Alice can attempt to find a third party, Charlie, willing to buy 10 BCoin for >5 ACoin. Alice can then execute both swaps near-simultaneously, and take a profit simply for matching trades. Instead of eliminating middlemen, cross-chain swaps encourage middlemen to lock up opportunities and then arbitrage them.
Problem: Premiums
In a call option on a traditional financial market, Alice would pay Bob a small amount, called a "premium." Bob is assuming risk and by writing the option, and so Alice pays him in advance for the service. Bob gets to keep the premium no matter what. The premium scales with the risk Bob takes. More volatile markets and longer durations means increased premiums.
There's no analog for this in the current formulation of cross-chain swaps, which leaves Bob extremely vulnerable to market fluctuations. This means that Bob must greatly undervalue Alice's ACoins and give Alice an unfavorable strike price in order to have a reasonable chance of profit. Bob is assuming most of the risk, and must squeeze Alice.
In a traditional call option, the writer, Bob, does not lose access to assets during the option period. He can do whatever he wants, so long as he can meet his obligations to Alice when the option is exercised. Often, Bob will not even own the asset he is writing a call for!
Conversely, in a cross-chain swap, Bob cannot do anything with his BCoin for the duration of the option. Because his coins are escrowed in the HTLC, he incurs additional opportunity costs. He loses any profit he may have made with those coins for the duration of the HTLC.
Bob, thus, is taking more risk by writing calls on volatile assets, and has higher costs. Alice, on the other hand, benefits from guaranteed execution of the trade. She has no risk that Bob will default. Alice is getting better service than a traditional option, while Bob is incurring more risk. Therefore we should expect that premiums paid for cross-chain swaps should be much greater than for equivalent traditional call options. If Alice wants guaranteed execution of her option, she must pay Bob for it.
Problem: I'm Not a Lawyer But Here's My Armchair Legal Advice
If a cross-chain swap is a call option, and a call option is a derivative, then a cross-chain swap is a derivative. Derivatives are regulated by the CFTC. I don't know what sort of requirements the CFTC places on the writer of an over-the-counter call option, and I'd hazard a guess that the average Bitcoin user doesn't either.
In addition, because the assets are virtual currencies, Bob, Alice, or both might qualify as currency exchangers - a type of money services business (MSB). FinCEN has explicitly stated that individuals and businesses exchanging a virtual currency for another virtual currency are money transmitters and must register as MSBs. FinCEN is known to issue orange jumpsuits to people who cross it, and to complicate things further, money transmission is also regulated on the state level.
I'm not a lawyer, but I'd sure as hell call one before participating in cross-chain swaps on the regular.
Solutions?
Well, I dunno. I mostly wanted to rain on the parade a little bit. I think there are some compelling avenues to pursue though. Regulation designed to protect purchasers are less applicable when execution of the trade is guaranteed. Alice could pay Bob a premium in either ACoin or BCoin in the setup transactions. If cross-chain swaps are treated as call options, rather than simple currency exchanges, then the external market is a feature, not a bug.
Until these solutions are developed, and users have developed the sophistication to understand the role of call options, I'm going to be bearish on atomic cross-chain swaps. The current iteration is not honest or safe.
I hope that as this field progresses, we'll devise guaranteed execution schemes for more and more derivatives. I also hope that we will be smart enough to recognize their traditional analogs and how guaranteed versions fit in existing regulatory regimes and existing markets. These are new breeds of financial contracts, and I'm excited to see how they evolve.